
containerd configuration

containerd is an industry-standard container runtime.

NOTE: In most use cases changes to the containerd configuration will not be required.

To make changes to the containerd configuration, first generate a default containerd configuration by running:

containerd config default > /etc/k0s/containerd.toml
This command writes the default values to /etc/k0s/containerd.toml.

k0s runs containerd with the following default values:

/var/lib/k0s/bin/containerd \
    --root=/var/lib/k0s/containerd \
    --state=/var/lib/k0s/run/containerd \
    --address=/var/lib/k0s/run/containerd.sock

Before proceeding further, add the following default values to the configuration file:

version = 2
root = "/var/lib/k0s/containerd"
state = "/var/lib/k0s/run/containerd"

[grpc]
  address = "/var/lib/k0s/run/containerd.sock"

Next, if you want to change the CRI runtime, look at this section:

[plugins."io.containerd.runtime.v1.linux"]
  shim = "containerd-shim"
  runtime = "runc"

Using gVisor

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.

First, install the needed gVisor binaries on the host.

(
  set -e
  # URL must point at the gVisor release directory to download from (see the gVisor install docs)
  : "${URL:?set URL to the gVisor release base URL}"
  wget ${URL}/runsc ${URL}/runsc.sha512 \
    ${URL}/gvisor-containerd-shim ${URL}/gvisor-containerd-shim.sha512 \
    ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
  # verify the downloads against the published checksums before installing them
  sha512sum -c runsc.sha512 \
    -c gvisor-containerd-shim.sha512 \
    -c containerd-shim-runsc-v1.sha512
  rm -f *.sha512
  chmod a+rx runsc gvisor-containerd-shim containerd-shim-runsc-v1
  sudo mv runsc gvisor-containerd-shim containerd-shim-runsc-v1 /usr/local/bin
)

See the gVisor install docs for details.

Next, prepare the config for the k0s-managed containerd to use gVisor as an additional runtime:

cat <<EOF | sudo tee /etc/k0s/containerd.toml
version = 2
disabled_plugins = ["restart"]
[plugins."io.containerd.runtime.v1.linux"]
  shim_debug = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF

Then we can start the worker and join it to the cluster as usual:

k0s worker $token

By default containerd uses normal runc as the runtime. To make the gVisor runtime usable for workloads, we must register it on the Kubernetes side:

cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF

After this we can use it for our workloads:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx

We can verify that the created nginx pod is actually running under the gVisor runtime:

# kubectl exec nginx-gvisor -- dmesg | grep -i gvisor
[    0.000000] Starting gVisor...

Using custom nvidia-container-runtime

By default the CRI runtime is set to runc. If you want to configure Nvidia GPU support, replace runc with nvidia-container-runtime as shown below:

[plugins."io.containerd.runtime.v1.linux"]
    shim = "containerd-shim"
    runtime = "nvidia-container-runtime"

Note: To run nvidia-container-runtime on your node, please look here for detailed instructions.

After changing the configuration, restart k0s; containerd will then use the newly configured runtime.